#!/bin/sh
#------------------------------------------------------------------------------
#
# File: SIG-antiDDoS.sh
#
# Compiler: Ruslan Abuzant <ruslan@abuzant.com>
# PS> Collected From Lots Of Sources
# PS> Credits: Real Authors (no idea)
#
# URL: http://www.liteforex.org/
#
# License: GNU GPL (version 2, or any later version).
#
# Configuration.
#------------------------------------------------------------------------------

# Absolute paths of the tools this script drives.
# For debugging use iptables -v.
# RMMOD, ARP, PHIGH and PSSH are not referenced anywhere else in this script.
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
MODPROBE="/sbin/modprobe"
RMMOD="/sbin/rmmod"
ARP="/usr/sbin/arp"


# Logging options.
#------------------------------------------------------------------------------
# Target plus options used by every logging rule ("-j $LOG ..."): log at
# debug level and include TCP sequence numbers, TCP options and IP options.
LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options --log-ip-options"


# Defaults for rate limiting
#------------------------------------------------------------------------------
# Match appended to rate-limited rules: 3 packets per second, burst of 8.
RLIMIT="-m limit --limit 3/s --limit-burst 8"


# Unprivileged ports.
#------------------------------------------------------------------------------
PHIGH="1024:65535"
PSSH="1000:1023"


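# Load required kernel modules
#------------------------------------------------------------------------------
# Connection-tracking helpers for FTP and IRC, so the secondary channels
# those protocols open are classified as RELATED by the state rules below.
# Kernels from 2.6.20 on name these modules nf_conntrack_*; ip_conntrack_*
# is the legacy name, so try the current one first and fall back.
# NOTE(review): recent kernels no longer attach helpers to connections
# automatically; a CT rule may be needed for the helper to take effect --
# confirm on the target kernel.
for helper in ftp irc; do
  $MODPROBE "nf_conntrack_$helper" 2>/dev/null || $MODPROBE "ip_conntrack_$helper"
done


# Mitigate ARP spoofing/poisoning and similar attacks.
#------------------------------------------------------------------------------
# Hardcode static ARP cache entries here
# $ARP -s IP-ADDRESS MAC-ADDRESS
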
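# Kernel configuration.
#------------------------------------------------------------------------------
# Settings are written straight to /proc/sys; the conf/*/ globs cover "all",
# "default" and every interface that exists when the script runs.

# Disable IP forwarding.
# Written once: the previous "On => Off" toggle switched forwarding on for a
# moment while the FORWARD policy was still whatever it had been before.
echo 0 > /proc/sys/net/ipv4/ip_forward

# Enable IP spoofing protection (reverse-path filtering).
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$i"; done

# Protect against SYN flood attacks
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Keep answering ICMP echo requests at the kernel level (value 0); ping is
# rate-limited by the iptables rules further down instead.
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Ignore ICMP echo requests to broadcast
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Log packets with impossible addresses.
for i in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > "$i"; done

# Don't log invalid responses to broadcast
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Don't accept or send ICMP redirects.
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > "$i"; done
for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > "$i"; done

# Don't accept source routed packets.
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > "$i"; done

# Disable multicast routing
# NOTE(review): mc_forwarding is read-only on current kernels, so this write
# is expected to fail with a permission error; harmless, but confirm.
for i in /proc/sys/net/ipv4/conf/*/mc_forwarding; do echo 0 > "$i"; done

# Disable proxy_arp.
for i in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 0 > "$i"; done

# Enable secure redirects, i.e. only accept ICMP redirects for gateways
# Helps against MITM attacks. (Has no effect while accept_redirects is 0
# above, but keeps the safer value should redirects ever be re-enabled.)
for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 1 > "$i"; done

# Disable bootp_relay
for i in /proc/sys/net/ipv4/conf/*/bootp_relay; do echo 0 > "$i"; done
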
# Default policies.
#------------------------------------------------------------------------------

# Drop everything by default in the filter table. Policies are set before
# the flush so no traffic is admitted while the old rules are being removed.
for chain in INPUT FORWARD OUTPUT; do
  $IPTABLES -P "$chain" DROP
done

# Set the nat and mangle tables' chains to ACCEPT.
# (The raw table is not touched by this script.)
for chain in PREROUTING OUTPUT POSTROUTING; do
  $IPTABLES -t nat -P "$chain" ACCEPT
done

for chain in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
  $IPTABLES -t mangle -P "$chain" ACCEPT
done

# Cleanup.
#------------------------------------------------------------------------------

# Flush all rules in the filter, nat and mangle tables.
for table in filter nat mangle; do
  $IPTABLES -t "$table" -F
done

# Delete all user-defined chains.
for table in filter nat mangle; do
  $IPTABLES -t "$table" -X
done

# Zero all packet and byte counters.
for table in filter nat mangle; do
  $IPTABLES -t "$table" -Z
done

# Completely disable IPv6.
#------------------------------------------------------------------------------

# Block all IPv6 traffic
# If the ip6tables command is available, try to block all IPv6 traffic.
# Errors are silenced because the binary may be present on a kernel without
# IPv6 netfilter support. Note that nothing here filters IPv6 when ip6tables
# is absent.
if [ -x "$IP6TABLES" ]; then
  # Set the default policies: drop everything in the filter table ...
  for chain in INPUT FORWARD OUTPUT; do
    $IP6TABLES -P "$chain" DROP 2>/dev/null
  done

  # ... while the mangle table can pass everything.
  for chain in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
    $IP6TABLES -t mangle -P "$chain" ACCEPT 2>/dev/null
  done

  # Delete all rules.
  for table in filter mangle; do
    $IP6TABLES -t "$table" -F 2>/dev/null
  done

  # Delete all chains.
  for table in filter mangle; do
    $IP6TABLES -t "$table" -X 2>/dev/null
  done

  # Zero all packets and counters.
  for table in filter mangle; do
    $IP6TABLES -t "$table" -Z 2>/dev/null
  done
fi

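# Custom user-defined chains.
#------------------------------------------------------------------------------
# Logging in the *LOG chains is rate-limited via $RLIMIT so a flood cannot
# fill the log; packets over the limit still get the chain's verdict, just
# without a log line.

# LOG packets, then ACCEPT.
$IPTABLES -N ACCEPTLOG
$IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "ACCEPT "
$IPTABLES -A ACCEPTLOG -j ACCEPT

# LOG packets, then DROP.
$IPTABLES -N DROPLOG
$IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "DROP "
$IPTABLES -A DROPLOG -j DROP

# LOG packets, then REJECT.
# TCP packets are rejected with a TCP reset.
$IPTABLES -N REJECTLOG
$IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "REJECT "
$IPTABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A REJECTLOG -j REJECT

# Only allows RELATED ICMP types
# (destination-unreachable, time-exceeded, and parameter-problem).
# fragmentation-needed is ICMP type 3 code 4, i.e. already covered by the
# destination-unreachable match, so path-MTU discovery keeps working.
# TODO: Rate-limit this traffic?
# TODO: Test.
$IPTABLES -N RELATED_ICMP
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
$IPTABLES -A RELATED_ICMP -j DROPLOG

# Make It Even Harder To Multi-PING
# Restricted to echo-request: the earlier "-p icmp" form matched every
# incoming ICMP packet -- including the RELATED error messages the rules
# further down exist to allow -- so those rules never saw any traffic.
# Over the limit, the first log rule records the excess, then it is dropped.
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 2 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix "PING-DROP:"
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP
# Let replies to accepted pings out. Formerly "-p icmp -j ACCEPT", which
# admitted all outbound ICMP ahead of the OUTPUT rules further down; any
# other outbound ICMP is now handled by those ESTABLISHED/RELATED rules.
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
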
# Only allow the minimally required/recommended parts of ICMP. Block the rest.
#------------------------------------------------------------------------------
# Rules appended to INPUT/OUTPUT earlier in this script are evaluated first;
# check with "iptables -vnL" that the rules below actually see traffic.

# TODO: This section needs a lot of testing!

# First, drop all fragmented ICMP packets (almost always malicious).
for chain in INPUT OUTPUT FORWARD; do
  $IPTABLES -A "$chain" -p icmp --fragment -j DROPLOG
done

# Allow all ESTABLISHED ICMP traffic, rate-limited.
for chain in INPUT OUTPUT; do
  $IPTABLES -A "$chain" -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
done

# Allow some parts of the RELATED ICMP traffic (see RELATED_ICMP), block the rest.
for chain in INPUT OUTPUT; do
  $IPTABLES -A "$chain" -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
done

# Allow incoming and outgoing ICMP echo requests (ping), but only rate-limited.
for chain in INPUT OUTPUT; do
  $IPTABLES -A "$chain" -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT
done

# Drop any other ICMP traffic.
for chain in INPUT OUTPUT FORWARD; do
  $IPTABLES -A "$chain" -p icmp -j DROPLOG
done

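# Selectively allow certain special types of traffic.
#------------------------------------------------------------------------------

# Allow loopback interface to do anything.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Allow incoming connections related to existing allowed connections.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections EXCEPT invalid
# NOTE(review): because NEW is accepted here, every outbound connection is
# admitted and the per-port OUTPUT allow-list further down (and the final
# OUTPUT REJECTLOG) is never reached. If that allow-list is meant to be
# enforced, change this to "--state ESTABLISHED,RELATED" and re-test every
# service this host needs to reach.
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Miscellaneous.
#------------------------------------------------------------------------------

# We don't care about Milkosoft, Drop SMB/CIFS/etc..
$IPTABLES -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
$IPTABLES -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP

# Explicitly drop invalid incoming traffic
$IPTABLES -A INPUT -m state --state INVALID -j DROP

# Drop invalid outgoing traffic, too.
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP

# If we would use NAT, INVALID packets would pass - BLOCK them anyways
$IPTABLES -A FORWARD -m state --state INVALID -j DROP

# PORT Scanners (stealth also)
$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

# Further impossible TCP flag combinations (previously left as a TODO).
# No conforming stack sends these, so dropping them cannot break real traffic.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# SYN flood: rate-limit new connection attempts per source address.
# The budget is keyed on the source IP (hashlimit) instead of one global
# "-m limit 2/s" bucket, which let a single sender exhaust the budget for
# everyone and capped the whole host at a few new connections per second.
# If the hashlimit match is unavailable, fall back to the old global limit so
# the chain never degrades into an unconditional DROP of every SYN.
$IPTABLES -N SYN_FLOOD
$IPTABLES -A INPUT -p tcp --syn -j SYN_FLOOD
$IPTABLES -A SYN_FLOOD -m hashlimit --hashlimit 2/s --hashlimit-burst 6 \
  --hashlimit-mode srcip --hashlimit-name syn_flood -j RETURN \
  || $IPTABLES -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPTABLES -A SYN_FLOOD -j DROP

# TODO: Block known-bad IPs (see http://www.dshield.org/top10.php).
# $IPTABLES -A INPUT -s INSERT-BAD-IP-HERE -j DROPLOG
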
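# Drop any traffic from IANA-reserved IPs.
#------------------------------------------------------------------------------
# Only address blocks that are still special-purpose and not routed on the
# public Internet. The previous list also dropped whole /8s (2, 5, 23, 27,
# 31, 36-37, 39, 42, 49, 50, 77-79, 92-95, 96-111, 112-119, 120, 173-175,
# 176-187, 197, 223, and 1.0.0.0/8 via 0.0.0.0/7) that were unallocated when
# it was written; the IANA free pool was exhausted in 2011 and all of them
# now carry ordinary customer traffic, so keeping them blocked legitimate
# clients. 192.168.0.0/16 and 127.0.0.0/8 were never in the list --
# presumably the local LAN uses 192.168.x.x; confirm before adding either.
for net in \
  0.0.0.0/8 \
  10.0.0.0/8 \
  169.254.0.0/16 \
  172.16.0.0/12 \
  192.0.2.0/24 \
  198.18.0.0/15 \
  224.0.0.0/3
do
  $IPTABLES -A INPUT -s "$net" -j DROP
done
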
# Selectively allow certain outbound connections, block the rest.
#------------------------------------------------------------------------------
# Rules appended to OUTPUT earlier in this script are evaluated first; the
# NEW,ESTABLISHED,RELATED accept above already admits every outbound
# connection, so verify with "iptables -vnL OUTPUT" whether the rules below
# ever see traffic.

# Append an OUTPUT rule accepting NEW connections to one destination port.
# $1 - protocol (tcp or udp), $2 - destination port
allow_out() {
  $IPTABLES -A OUTPUT -m state --state NEW -p "$1" --dport "$2" -j ACCEPT
}

# Allow outgoing DNS requests. Few things will work without this.
allow_out udp 53
allow_out tcp 53

# Allow outgoing HTTP requests. Unencrypted, use with care.
allow_out tcp 80

# Allow outgoing HTTPS requests.
allow_out tcp 443

# Allow outgoing SMTPS requests. Do NOT allow unencrypted SMTP!
# allow_out tcp 465

# Allow outgoing "submission" (RFC 2476) requests.
allow_out tcp 587

# Allow outgoing POP3S requests.
allow_out tcp 995

# Allow outgoing SSH requests.
allow_out tcp 22

# Allow outgoing FTP requests. Unencrypted, use with care.
allow_out tcp 21

# Allow outgoing NNTP requests. Unencrypted, use with care.
# allow_out tcp 119

# Allow outgoing NTP requests. Unencrypted, use with care.
# allow_out udp 123

# Allow outgoing IRC requests. Unencrypted, use with care.
# Note: This usually needs the ip_conntrack_irc kernel module.
# allow_out tcp 6667

# Allow outgoing requests to various proxies. Unencrypted, use with care.
# allow_out tcp 8080
# allow_out tcp 8090

# Allow outgoing DHCP requests. Unencrypted, use with care.
# TODO: This is completely untested, I have no idea whether it works!
# TODO: I think this can be tightened a bit more.
$IPTABLES -A OUTPUT -m state --state NEW -p udp --sport 67:68 --dport 67:68 -j ACCEPT

# Allow outgoing CVS requests. Unencrypted, use with care.
# allow_out tcp 2401

# Allow outgoing MySQL requests. Unencrypted, use with care.
# allow_out tcp 3306

# Allow outgoing SVN requests. Unencrypted, use with care.
# allow_out tcp 3690

# Allow outgoing PLESK requests. Unencrypted, use with care.
# allow_out tcp 8443

# Allow outgoing Tor (http://tor.eff.org) requests.
# Note: Do _not_ use unencrypted protocols over Tor (sniffing is possible)!
# allow_out tcp 9001
# allow_out tcp 9002
# allow_out tcp 9030
# allow_out tcp 9031
# allow_out tcp 9090
# allow_out tcp 9091

# Allow outgoing OpenVPN requests.
allow_out udp 1194

# TODO: ICQ, MSN, GTalk, Skype, Yahoo, etc...

# Selectively allow certain inbound connections, block the rest.
#------------------------------------------------------------------------------
# Only NEW connections get this far: loopback, established/related traffic,
# the reserved-source drops and the SYN_FLOOD chain are all handled earlier.

# Append an INPUT rule accepting NEW connections to one destination port.
# $1 - protocol (tcp or udp), $2 - destination port
allow_in() {
  $IPTABLES -A INPUT -m state --state NEW -p "$1" --dport "$2" -j ACCEPT
}

# Allow incoming DNS requests.
allow_in udp 53
allow_in tcp 53

# Allow incoming HTTP requests.
allow_in tcp 80

# Allow incoming HTTPS requests.
allow_in tcp 443

# Allow incoming POP3 requests. (Cleartext logins; POP3S is opened below.)
allow_in tcp 110

# Allow incoming IMAP4 requests. (Cleartext logins.)
allow_in tcp 143

# Allow incoming POP3S requests.
allow_in tcp 995

# Allow incoming SMTP requests.
allow_in tcp 25

# Allow incoming SSH requests.
allow_in tcp 22

# Allow incoming FTP requests. (Cleartext; the data channel relies on the
# FTP conntrack helper loaded at the top being classified as RELATED.)
allow_in tcp 21

# Allow incoming NNTP requests.
# allow_in tcp 119

# Allow incoming MySQL requests.
# allow_in tcp 3306

# Allow incoming PLESK requests.
# allow_in tcp 8843

# Allow incoming BitTorrent requests.
# TODO: Are these already handled by ACCEPTing established/related traffic?
# allow_in tcp 6881
# allow_in udp 6881

# Allow incoming nc requests.
# allow_in tcp 2030
# allow_in udp 2030

# Explicitly log and reject everything else.
#------------------------------------------------------------------------------
# Use REJECT instead of REJECTLOG if you don't need/want logging.
# On OUTPUT this is only reached by packets the state rules above did not
# match, since NEW,ESTABLISHED,RELATED is accepted and INVALID is dropped there.
for chain in INPUT OUTPUT FORWARD; do
  $IPTABLES -A "$chain" -j REJECTLOG
done


#------------------------------------------------------------------------------
# Testing the firewall.
#------------------------------------------------------------------------------

# You should check/test that the firewall really works, using
# iptables -vnL, nmap, ping, telnet, ...

# Exit gracefully.
#------------------------------------------------------------------------------
## write to boot if needed?
### iptables-save > /etc/sysconfig/iptables ??
# The script always exits 0, even if individual iptables commands above
# failed; check its output and "iptables -vnL" rather than its exit status.
exit 0